Glitch in PayUMoney Gateway Exposes Users’ Credit Card Details
(Updated to include statement from PayU India)
The credit card details of the TRAI chief and many other users of the PayUMoney payment gateway were found to be easily accessible, according to Twitter user Srikanth (@logic). Srikanth claims to have been able to access Sharma’s credit card details just by entering his email address in the PayUMoney payment gateway.
This is a privacy risk because any user’s saved credit card details on the payment gateway can easily be accessed if their mobile number or email address is known. While the credit card number itself is masked, the CVV field is left open. If a user enters the wrong CVV a few times, the card will get blocked.
Blocking a user’s credit card could be exploited as a new way of cyber-bullying or cyber crime. Accessing the card itself opens it up to potential misuse.
When contacted by The Quint, Srikanth highlighted how this glitch could be particularly harmful.
“There are two issues here with PayU displaying the stored cards. Upon entering one’s e-mail ID we are directed to the card with the last 4 digits shown. This raises the danger of someone getting his/her card blocked by the bank across all platforms if a malicious actor keeps entering incorrect CVV numbers. Second, other platforms or entities like supermarkets which have the last 4 digits of our cards can gain access to our e-mails and other personal profile details that can be correlated if someone mines this data.”
Srikanth, Twitter user
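The two problems described above are design questions on the gateway side: who may see a stored card, and what happens when the CVV is guessed repeatedly. The following is an added illustration written for this article, not PayU’s code and not a description of their system; the emails, tokens, last-4 digits and the issuer stub are all constructed. It puts the weak lookup (email alone selects the cards) beside a hardened lookup that requires an authenticated session for that same email and answers identically for unknown or mismatched identities, and adds a per-card failed-CVV counter so the gateway stops forwarding guesses to the issuer before the bank blocks the card.

```python
"""Toy model of a hosted-checkout 'saved cards' flow: weak lookup beside a hardened one,
plus a per-card limiter on failed CVV attempts. Illustrative code, not a real gateway."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample data: hypothetical tokens and last-4 digits, not real cards.
SAVED_CARDS: Dict[str, List[dict]] = {
    "alice@example.com": [{"token": "tok_0001", "brand": "VISA", "last4": "4242"}],
    "bob@example.com": [{"token": "tok_0002", "brand": "MC", "last4": "0005"}],
}


def list_saved_cards_weak(email: str) -> List[dict]:
    """Models the reported behaviour: knowing the email alone is enough to see the cards."""
    return SAVED_CARDS.get(email, [])


def list_saved_cards_hardened(session_email: Optional[str], email: str) -> List[dict]:
    """Only an authenticated session for the same email may see its cards.
    Unknown, anonymous and mismatched requests all get the same empty answer, so the
    endpoint cannot be used to confirm which emails have a card on file."""
    if session_email is None or session_email != email:
        return []
    return SAVED_CARDS.get(email, [])


@dataclass
class CvvAttemptLimiter:
    """Counts failed CVV attempts per card token and stops forwarding further attempts
    to the issuer once the cap is reached, so the gateway absorbs the guessing instead of
    letting the bank block the card across every merchant."""
    max_attempts: int = 3
    failures: Dict[str, int] = field(default_factory=dict)

    def should_forward(self, token: str) -> bool:
        return self.failures.get(token, 0) < self.max_attempts

    def record_failure(self, token: str) -> int:
        self.failures[token] = self.failures.get(token, 0) + 1
        return self.failures[token]

    def reset(self, token: str) -> None:
        self.failures.pop(token, None)


def fake_issuer(token: str, cvv: str) -> bool:
    """Constructed stand-in for the issuer's CVV check; a real gateway calls the card network."""
    return cvv == "123"


def charge_with_cvv(limiter: CvvAttemptLimiter, token: str, cvv: str,
                    issuer_check: Callable[[str, str], bool]) -> str:
    """Returns 'approved', 'declined' or 'locked'. Locked attempts never reach the issuer."""
    if not limiter.should_forward(token):
        return "locked"
    if issuer_check(token, cvv):
        limiter.reset(token)
        return "approved"
    limiter.record_failure(token)
    return "declined"


if __name__ == "__main__":
    print(list_saved_cards_weak("alice@example.com"))            # visible to anyone
    print(list_saved_cards_hardened(None, "alice@example.com"))  # [] without a session
    lim = CvvAttemptLimiter(max_attempts=3)
    for guess in ("000", "001", "002", "123"):
        print(guess, charge_with_cvv(lim, "tok_0001", guess, fake_issuer))
```

The hardened lookup returns an empty list rather than an error for a mismatched session so that the response does not distinguish "no such account" from "not your account"; the limiter's cap is a per-token counter here, whereas a production gateway would persist it and tie it to a time window.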
The Twitter user particularly targeted Sharma’s card details because the TRAI chief had earlier thrown an open challenge that his details could not be traced just by publicly displaying his Aadhaar number.
This isn’t the first time that PayUMoney’s payment gateway has been seen compromising users’ saved card details. In 2016, a similar issue was reported by a user who was booking a ticket on Redbus.in’s site through PayU’s gateway.
At that time, PayU had issued a clarification saying that knowing just a part of a credit card number was not harmful.
The Quint reached out to PayU for a comment on this. The company sent us this statement in response.
“PayUMoney has successfully been certified level 1 for its security levels as per the PCI-DSS certification for the last 7 consecutive years. We adhere to strict security controls and standards enforcement for all details provided and have been consistently meeting the PCI regulations and ISO 27001. We assure our consumers that information provided on the PayUMoney platform is always secure and we do not share personal information. Protecting the integrity of our merchants and consumer data is of utmost importance for us. We assure our merchants and consumers that we will never compromise on the same.”
M Navaneethan, CISO & Head IT, PayU India
Meanwhile, if you still feel your credit card details may be compromised, you can delete saved card details by going to PayU’s dashboard here.